In the latest instalment of our Spotlight series, we talk to Assure Technical managing director Pete Rucinski about the Government-backed Cyber Essentials scheme.
Q: Hello Pete. Before we delve into the topic of cyber security, tell us a little bit about Assure Technical.
We were founded in 2011. Since then, it’s been our mission to help organisations develop security capabilities that build resilience and improve business performance. We understand the importance of appropriate cyber, physical and information security risk management and pride ourselves in delivering effective solutions to our clients.
In 2014, we became an IASME Accredited Certification Body. Since then, we have supported hundreds of organisations from a wide range of industries achieve Cyber Essentials, Cyber Essentials Plus and IASME Governance certifications.
Additional services we provide include vCISO Services and ISO 27001 consultancy.
We provide a range of competitively priced certification packages tailored to a company’s budget, timeframe and experience – including supported packages and turnkey solutions.
Q: Given the growing cyber threat in the UK and globally, these certifications are becoming increasingly important. What kind of attacks are businesses experiencing at the moment?
Phishing emails are a big thing at the moment. They’re fairly prolific and cyber criminals are getting better at tricking people into clicking on a malicious link. A few years ago, phishing emails were pretty obvious to the untrained eye as they’d be full of spelling mistakes, grammatical errors and inconsistencies. They looked wrong.
More recently, they’ve looked right. That means you’ve got to look a little bit deeper to determine whether the email is fraudulent or not. Not only is this where staff training comes into play, but things like your Cyber Essentials technical controls come into play as well – like having anti-malware software in place and ensuring that your Operating Systems and Software are updated are configured in a secure manner.
Q: Can you give us an example of a phishing email? How can a person tell the difference between a genuine email and one that’s fraudulent?
There’s quite a few banking related phishing emails and texts going around at the moment. It’s important that people remember banks will never email or text you asking to click on links and enter your details. If an individual or a company has been compromised, usually the root cause will have been either phishing email which will have brought them to a compromised website.
Perhaps the best piece of advice I can give is that every individual knows what their inbox should look like – they know which companies they should expect emails from. If you receive an email from a company you don’t recognise, think twice before opening it and proceed with caution. If in doubt verify its legitimacy by contacting the sender. It’s as simple as that.
Q: You've mentioned Cyber Essentials and how it can help protect SMEs from cyber attacks. Explain to us what the scheme is all about.
So, Cyber Essentials is a Government-sponsored scheme that is designed specifically to help organisations achieve a sound baseline of cyber security. It’s achievable, affordable and applicable to every type of business in the UK.
Enquire about Cyber Essentials via our Trusted Partners
There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials involves a self-assessment questionnaire that defines the scope and establishes whether your organization has the necessary cyber security controls in place. These are malware protection, patch management, access control, secure configuration and boundary firewalls.
Cyber Essentials Plus follows on from the basic certification. It is a technical audit that assesses whether an organisation's devices and IT systems are performing as required.
It can sound a little daunting, but by the time an organisation has completed the process, they can be confident that their security controls are actually working effectively.
Q: Let’s take the first level – Cyber Essentials. What does it involve?
Our approach is to make the process as straight-forward and as pain-free as possible. Ultimately, we want companies to achieve the standard and be cyber secure.
Using our experience and expertise, we can offer a number of different packages that can be tailored to the client’s needs. Some of our clients have a good understanding of their IT Systems and Cyber Security – they essentially can answer the questionnaire on their own. But if a company doesn’t have that internal skillset, understanding, or available resource, we can assist by providing support, guidance and training as required to ensure that certification is achieved.
As well as delivering Cyber Essentials, we’re an independent moderator of the scheme. Our deep understanding of the standard enables us to apply it to achieve maximum benefit to our clients.
Q: How long does it take to complete the Cyber Essentials process?
We are a small and agile company so we are able to respond quickly to customer needs. We recently had a company, with a global footprint, call us on a Thursday night before Christmas saying ‘we need Cyber Essentials Plus by Tuesday’. We put a programme together that involved out-of-hours and weekend working, to ensure they met their deadline.
Q: How much does Cyber Essentials cost and to what extent will it protect businesses against cyber attacks?
It’s extremely affordable. Cyber Essentials can be purchased for around £300 and the certification lasts for 12 months. It’s definitely worth that investment as, according to the National Cyber Security Centre, the Cyber Essentials standard protects businesses from up to 80% of known common cyber threats.
Additionally it enables companies to satisfy supply chain requirements and improve their chances of retaining existing business and winning new business.